feat: add base image detection and FROM line update for base image CVEs

vmrh21 · claude · vmrh21 · commit 60d6f70313c8 · 2026-04-06T11:01:28.000-04:00
When a vulnerable package is not found in application manifests
(requirements.txt, go.mod, package.json), check if it comes from
the container base image (Dockerfile.konflux FROM line):

- Use skopeo list-tags to check for newer base image tags
- If newer tag available: update FROM line → real PR with note to
  verify the fix is included in the new tag before merging
- If no newer tag: add Jira comment asking base image team (e.g. AIPCC
  for quay.io/aipcc/*) to release updated image → no PR created
- If no Dockerfile found: fall back to transitive dependency guidance

This covers both the general "base image CVE" case and the AIPCC-specific
scenario with a single generic mechanism — no AIPCC-specific handling needed.

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/workflows/cve-fixer/.claude/commands/cve.fix.md b/workflows/cve-fixer/.claude/commands/cve.fix.md
@@ -393,14 +393,69 @@ Summary:
    - **Package found at a version** → compare against CVE affected version range
      - If version is in affected range → proceed with fix
      - If version is already patched → mark as already fixed (see below)
-   - **Package not found in any manifest** → it may be transitive or RPM-installed
+   - **Package not found in any manifest** → check whether it comes from the base image (Step 5.2.1b below) before falling back to transitive/RPM handling
+
+   **5.2.1b: Base image check (when package not found in application manifests)**
+
+   The package may be pre-installed in the container's base image rather than declared by the application.
+
+   ```bash
+   # Find Dockerfile.konflux (or Dockerfile) in the repo root
+   DOCKERFILE=$(ls Dockerfile.konflux Dockerfile.konflux.* Dockerfile 2>/dev/null | head -1)
+
+   if [ -n "$DOCKERFILE" ]; then
+     # Extract FROM line(s) — may be multiple stages
+     BASE_IMAGES=$(grep -E '^FROM ' "$DOCKERFILE" | awk '{print $2}')
+     echo "Base images in use: $BASE_IMAGES"
+   fi
+   ```
+
+   **For each base image found:**
+   ```bash
+   for BASE_IMAGE in $BASE_IMAGES; do
+     REGISTRY=$(echo "$BASE_IMAGE" | cut -d/ -f1)
+     IMAGE_REF=$(echo "$BASE_IMAGE" | sed 's/:.*$//')  # strip tag
+     CURRENT_TAG=$(echo "$BASE_IMAGE" | grep -oP '(?<=:)[^@]+' || echo "latest")
+
+     echo "Checking for newer tags of: $IMAGE_REF (current: $CURRENT_TAG)"
+
+     # List available tags (works for quay.io, registry.access.redhat.com, etc.)
+     AVAILABLE_TAGS=$(skopeo list-tags "docker://${IMAGE_REF}" 2>/dev/null | \
+       jq -r '.Tags[]' | sort -V)
+
+     # Find tags newer than current
+     NEWER_TAGS=$(echo "$AVAILABLE_TAGS" | awk -v cur="$CURRENT_TAG" '$0 > cur')
+   done
+   ```
+
+   **Interpret base image check results:**
+
+   - **Newer base image tag available** → the fix may already be in a newer tag. Update the `FROM` line in the Dockerfile:
+     ```bash
+     LATEST_TAG=$(echo "$AVAILABLE_TAGS" | tail -1)
+     sed -i "s|${BASE_IMAGE}|${IMAGE_REF}:${LATEST_TAG}|g" "$DOCKERFILE"
+     ```
+     - Create a PR with this change
+     - PR title: `fix(cve): CVE-YYYY-XXXXX — update base image to ${LATEST_TAG}`
+     - PR note: "⚠️ This CVE is in the base image layer, not application code. Updated base image from `${CURRENT_TAG}` to `${LATEST_TAG}`. Verify the new tag includes the fix for `${PACKAGE}` before merging."
+     - **Stop here — do not attempt application manifest fixes**
+
+   - **No newer base image tag available** → base image hasn't been updated yet:
+     - Do NOT create a PR (no code change to make)
+     - Add Jira comment: "CVE is in the base image layer (`${BASE_IMAGE}`). No updated base image tag is currently available. The base image team (e.g. AIPCC for `quay.io/aipcc/*`) needs to release an updated image before this can be resolved."
+     - Document in `artifacts/cve-fixer/fixes/base-image-pending-CVE-YYYY-XXXXX.md`
+     - Print: "⚠️ CVE-YYYY-XXXXX is in base image ${BASE_IMAGE} — no fix available yet. Jira comment added."
+     - **Stop here — skip VEX justification and PR creation**
+
+   - **No Dockerfile found** → package may be a transitive or RPM dependency. Fall back to original guidance:
      - **Do NOT blindly add a direct dependency** — this can cause version conflicts or unnecessary bloat
      - Instead, document the situation and create PR with guidance:
        - **Go**: transitive deps require a `replace` directive in go.mod — add it only if intentional
-       - **Python**: adding to requirements.txt may conflict with what pip resolves transitively; prefer updating the parent package that pulls it in
+       - **Python**: prefer updating the parent package that pulls it in; use `pip-compile` to trace the dependency
        - **Node**: use npm `overrides` to force a safe version without adding a direct dep
-     - Include note in PR: "⚠️ Package not found directly in manifests — may be a transitive or RPM-installed dependency. Manual review required to confirm the right fix approach."
-   - **Both scan AND version check find nothing** → CVE not present in this repo. Do NOT create a PR.
+     - Include note in PR: "⚠️ Package not found in application manifests — may be a transitive or RPM-installed dependency. Manual review required."
+
+   - **Both scan AND version check find nothing AND no base image issue** → CVE not present in this repo. Do NOT create a PR.
      Determine the appropriate VEX "Not Affected" justification and add it to the Jira issue:
 
    **5.2.2: Determine VEX justification**
